Privacy Policy

Last updated: October 2025

1. Introduction

Welcome to Craft (“we,” “our,” or “us”). We operate the AI video generation platform at craft.video. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered video creation service.

By using our service, you agree to the collection and use of information in accordance with this policy.

2. Information We Collect

Personal and Account Information

  • Email address (for account creation, authentication, and notifications)
  • Profile details you choose to provide (such as display name or avatar)
  • Usage preferences, saved prompts, and feature settings
  • Support communications and feedback submissions

Payment and Transaction Data

  • Payment intent identifiers, billing ZIP/postal codes, and card country (processed securely through Stripe)
  • Crypto payment details such as wallet addresses, transaction hashes, token amounts, and confirmation status when you choose to pay with USDC
  • Credit balance, purchase history, refund status, and invoice records
  • Referral and affiliate identifiers associated with purchases

Content and Usage Data

  • Text prompts, scripts, and descriptions you provide for video or audio generation
  • Generated video and audio assets, thumbnails, and related metadata (duration, aspect ratio, model used)
  • Audio files and recordings uploaded to our platform
  • Community showcase submissions and opt-in promotional assets
  • Usage patterns, segment interactions, quality selections, and performance metrics
  • Technical information including IP address, browser type, device identifiers, operating system, and session timestamps

Developer and Security Data

  • API keys, webhook URLs, and access tokens generated for your account
  • Request logs, rate-limit usage, and error reports tied to your integrations
  • Security events, hCaptcha challenge responses, and fraud-prevention signals

Cookies and Device Data

  • Cookie preferences (required, analytics, marketing) captured through our consent banner
  • Analytics data such as page views, referral URLs, and feature adoption (when cookies are enabled)
  • Diagnostic data used to measure app performance, crash reports, and loading times

3. How We Use Your Information

  • Video and Audio Generation: Process your prompts, media, and configuration choices to create AI-generated content using Google Cloud Vertex AI (Veo 3 family) and, when enabled, OpenAI Sora 2 services
  • Service Delivery: Operate, maintain, and optimize platform features including canvas editing, segment management, and community sharing
  • Account Management: Authenticate users, track credit balances, enforce rate limits, and deliver customer support
  • Payments: Facilitate Stripe transactions, reconcile crypto payments, issue invoices, and prevent fraudulent activity
  • Referral and Affiliates: Attribute referrals, calculate rewards, and prevent abuse of promotional programs
  • Analytics and Personalization: Measure feature adoption, improve user experience, and honor cookie preferences
  • Security: Detect and mitigate spam, abuse, and unauthorized access using logging, hCaptcha, and automated monitoring
  • Community Features: Display opt-in showcase submissions and moderate content for policy compliance
  • Developer Tools: Provide API access, webhooks, and integration troubleshooting
  • Communication: Send transactional emails, service updates, and respond to inquiries or bug reports
  • Legal Compliance: Comply with financial, tax, anti-money laundering, and other legal obligations

We do not use your prompts, uploads, or generated media to train third-party AI models without your explicit consent.

4. AI Processing and Third-Party Services

Google Cloud Vertex AI (Veo 3 family)

Our core video generation pipeline runs on Google Cloud Vertex AI. When you create videos:

  • Your prompts, audio tracks, and configuration parameters are securely transmitted to Google Cloud for processing
  • Google processes this data only to generate the requested media and returns the output to our platform
  • Processing is governed by Google's Cloud Privacy Notice and Data Processing Agreement
  • We do not allow Google to use your content for model training or marketing purposes

OpenAI Sora 2 (Optional)

Certain premium models leverage OpenAI Sora 2 or Sora 2 Pro. When enabled for your account:

  • We send your prompts and selected configuration fields to OpenAI's API for rendering
  • OpenAI processes this data solely to return generated media according to their Data Processing Addendum
  • We do not permit OpenAI to retain or reuse your content for training unless you expressly opt in

Audio Providers

Voice synthesis and sound design may be performed by ElevenLabs, Google Cloud Text-to-Speech, or Amazon Polly, depending on the voice you select.

  • We transmit the relevant voice script and configuration to the chosen provider
  • Providers return audio files that we merge into your video project
  • Each provider's privacy policy governs their handling of the submitted text and generated audio

Payment Processing

Card payments are processed by Stripe, Inc. We do not store full card numbers or CVV codes on our servers; Stripe provides tokenized payment identifiers. Stripe's privacy policy governs their data handling.

Crypto Payment Verification

When you pay with USDC, we use an Ethereum-compatible node (configured via CRYPTO_RPC_URL) to verify on-chain transactions. Transaction hashes, wallet addresses, and amounts are checked against smart contract logs to confirm delivery.

Security and Abuse Prevention

We employ services such as hCaptcha and optional analytics tools (e.g., Google Analytics, when consented) to protect the platform and understand usage. These providers receive limited technical data needed to operate their services.

5. Data Storage and Security

  • Encryption: All data is encrypted in transit using TLS and at rest using AES-256
  • Access Controls: Strict access controls limit data access to authorized personnel only
  • Data Centers: Data is stored in secure, SOC 2 compliant cloud infrastructure (Google Cloud) with managed Redis caches and PostgreSQL databases
  • Segregation: Payment records, crypto verifications, and referral analytics are stored in separate schemas with role-based permissions
  • Monitoring: Continuous security monitoring, anomaly detection, and regular security audits
  • Incident Response: Comprehensive incident response procedures for data security events
  • Blockchain Data: Although blockchain transactions are public, we store associated wallet information and transaction hashes in encrypted form for reconciliation and compliance

6. Data Retention

  • Account Data: Retained for the duration of your active account
  • Generated Videos: Stored for 90 days by default, with options for extended storage
  • Usage Logs: Retained for 12 months for service improvement and security purposes
  • API and Security Logs: Retained for up to 18 months to investigate abuse, maintain audit trails, and comply with platform policies
  • Payment & Crypto Records: Retained for at least 7 years to satisfy tax, accounting, anti-fraud, and anti-money laundering obligations
  • Referral & Affiliate Data: Retained for 24 months to calculate rewards and prevent duplicate claims
  • Deleted Accounts: Personal data is permanently deleted within 30 days of account deletion, subject to legal retention requirements

7. Sharing and Disclosure

We do not sell, trade, or rent your personal information. We may share information only in these circumstances:

  • Service Providers: With trusted third parties who assist in operating our platform, including Google Cloud (hosting, AI processing), OpenAI (optional models), ElevenLabs/Google TTS/Amazon Polly (audio), Stripe (card payments), Ethereum node providers (crypto verification), email delivery services, and analytics or consent tools
  • Security & Fraud Prevention: With vendors such as hCaptcha or risk monitoring tools to protect our users and infrastructure
  • Legal Requirements: When required by law, court order, or governmental authority
  • Safety and Security: To protect our users, prevent fraud, or address security issues
  • Business Transfers: In connection with mergers, acquisitions, or sale of assets (with user notification)
  • Consent: When you explicitly consent to sharing your information

8. Your Rights and Choices

  • Access: Request copies of your personal data
  • Correction: Update or correct inaccurate information
  • Deletion: Request deletion of your personal data (subject to legal obligations)
  • Portability: Receive your data in a machine-readable format
  • Restriction: Limit how we process your data
  • Objection: Object to certain data processing activities
  • Withdrawal: Withdraw consent where processing is based on consent
  • Community Visibility: Opt out of having your content displayed in the community showcase or marketing materials
  • Cookie Preferences: Adjust analytics and marketing cookie settings through the consent banner at any time

To exercise these rights, contact us at privacy@craft.video. While blockchain transactions cannot be altered on-chain, we can remove associated records from our internal systems where legally permissible.

9. International Data Transfers

Our services are hosted globally. If you access our service from outside the United States, your information may be transferred to, stored, and processed in the United States, the European Union, or other regions where our providers (Google Cloud, OpenAI, Stripe, and others) operate. We implement appropriate safeguards—such as Standard Contractual Clauses, encryption, and access controls—to protect your data during international transfers.

10. Children's Privacy

Our service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you become aware that a child has provided personal information, please contact us immediately.

11. California Privacy Rights (CCPA)

California residents have additional rights under the California Consumer Privacy Act (CCPA):

  • Right to know what personal information is collected and how it's used
  • Right to delete personal information
  • Right to opt out of the sale of personal information (we do not sell personal information)
  • Right to non-discrimination for exercising CCPA rights
  • We collect the following categories of personal information: identifiers (email, wallet address), commercial information (credit purchases, referral rewards), Internet activity (usage logs), audio/visual content you upload, and inferences derived from analytics

12. European Privacy Rights (GDPR)

If you are in the European Economic Area (EEA), you have rights under the General Data Protection Regulation (GDPR), including the rights listed in Section 8. Our lawful basis for processing includes:

  • Contract: To provide our video generation services
  • Legitimate Interest: To improve our services and prevent fraud
  • Consent: For marketing communications (where applicable)
  • Legal Obligation: To comply with applicable laws

13. Updates to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by:

  • Posting the updated policy on our website
  • Sending an email notification for significant changes
  • Displaying a prominent notice on our platform

Continued use of our service after changes become effective constitutes acceptance of the updated policy.

14. Contact Information

If you have questions about this Privacy Policy or our data practices, please contact us:

  • Email: privacy@craft.video
  • General Contact: hello@craft.video
  • Website: craft.video

We will respond to your inquiry within 30 days.

© 2025 Craft. All rights reserved.